
Locky ransomware's 'rebirth' puts everyone at risk once again

21 Aug 17

The Locky ransomware is back and using social engineering in another round of email-based attacks on tens of thousands of users, according to a new report from Comodo’s Threat Intelligence Lab.

The company is calling the resurgence of Locky a ‘rebirth’, noting that the new ransomware campaign began on August 9 and is continuing to appear in inboxes.

The attack arrives as an email carrying an attachment and little or no text in the body. The attachment name varies, but it follows the same basic format, “E 2017-08-09 (580)”: the extension and the bracketed number change frequently, so the email always carries a file that security tools have not seen before.

According to the researchers, the attachment downloads IKARUSdilapidated, the newest variant of Locky.

Because it is a new variant, most organisations’ security products classify it as an ‘unknown file’. Organisations that do not run a ‘default deny’ security posture could easily be infected by the ransomware, Comodo claims.

‘Default deny’ security postures work by denying all unknown files until they are verified as ‘good’ files.

When a user opens the attachment, its macros save and run a file containing the Trojan, which then encrypts every file matching a list of targeted extensions. The victim is then told to download the anonymous browsing platform Tor, through which the ransom demand is delivered.
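The ‘default deny’ posture described above, as an added example that is not code from Comodo or from the original article: a small Python mail-triage routine that applies it to attachments. Unknown files are held until they have a verdict, attachments whose SHA-256 is on a known-good allowlist are released, and two indicators taken from the campaign description, an attachment name of the form “E <date> (<number>)” and an embedded VBA macro project inside an Office document, cause an outright block. The regex, the allowlist, the sample message and the placeholder macro document are all constructed here for illustration and are assumptions, not vendor rules or real samples.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment name shape reported for the campaign: "E <date> (<number>)" plus any
# extension. This regex is my generalisation of the article's one example, not a
# vendor detection rule (assumption).
CAMPAIGN_NAME_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d+\)(\.[A-Za-z0-9]+)?$")


def has_vba_project(data):
    """True if data is an OOXML (zip-based) document carrying a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data, allowlist):
    """Default-deny verdict for one attachment: ('allow' | 'block' | 'hold', reasons).

    Only files whose SHA-256 is on the allowlist are released. Known-bad indicators
    block outright; everything else is held until a human or sandbox verdict exists.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in allowlist:
        return "allow", ["sha256 on known-good allowlist"]
    reasons = []
    if CAMPAIGN_NAME_RE.match(filename or ""):
        reasons.append("filename matches reported campaign pattern")
    if has_vba_project(data):
        reasons.append("document contains VBA macro project")
    if reasons:
        return "block", reasons
    return "hold", ["unknown file, no verdict yet"]


def triage_message(raw, allowlist):
    """Classify every attachment of an RFC 5322 message (bytes) under default deny."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdicts[name] = classify_attachment(name, data, allowlist)
    # A near-empty body with an attachment is itself a signal worth surfacing.
    body = msg.get_body(preferencelist=("plain", "html"))
    empty_body = body is None or not (body.get_content() or "").strip()
    return {"empty_body": empty_body, "attachments": verdicts}


def build_macro_doc():
    """Constructed stand-in for a .docm: a minimal zip with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not real VBA")
    return buf.getvalue()


def build_sample():
    """Constructed sample message and allowlist: near-empty body, one campaign-style
    attachment and one benign attachment whose hash is pre-approved."""
    benign_pdf = b"%PDF-1.4 constructed benign placeholder"
    allowlist = {hashlib.sha256(benign_pdf).hexdigest()}
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("\n")  # body left effectively empty, as in the campaign
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="E 2017-08-09 (580).docm")
    msg.add_attachment(benign_pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes(), allowlist


if __name__ == "__main__":
    raw, allowlist = build_sample()
    result = triage_message(raw, allowlist)
    print("empty body:", result["empty_body"])
    for name, (verdict, reasons) in result["attachments"].items():
        print(f"{name}: {verdict} ({'; '.join(reasons)})")
```

The point of the `hold` verdict is that the routine never releases a file merely because no indicator fired; the indicators only decide between blocking immediately and waiting for a verdict, which is what separates default deny from signature-based allow-by-default.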

The ransom amount varies between 0.5-1 bitcoin, which is equal to NZD$2773-$5546.

While most targets have been in Indonesia, India, Vietnam and Mexico, the phishing campaign has reached 11,625 targets across 133 countries.

Most victims have been telecommunications firms and Internet Service Providers. The researchers suggest these industries were targeted in order to build a botnet with a complex command-and-control architecture.

Comodo Threat Intelligence Lab head Fatih Orhan says the attack was an interesting case in terms of its sophistication and the scale of the attack mounted through the botnet.

“When artificial intelligence couldn’t identify these unknown files, the full resources of the lab were needed to analyze and identify the code in the file and render a verdict; in this case the verdict was “bad” and we’ve now added it to our blacklist and malware signature list,” he says.

The Locky ransomware has been through many iterations since its 2016 discovery. It generally used the same tactic of an email with an attachment that runs the code and launches the ransomware.

According to Malwarebytes researchers, the Locky malware is difficult to predict.

“Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more,” Malwarebytes researchers state in a blog.

“The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time,” they conclude.
